In this paper, we enrich the π-calculus with an operator for confidentiality (hide), whose main effect is to restrict the access to the object of the communication, thus representing confidentiality in a natural way. The hide operator is meant for local communication, and it differs from new in that it forbids the extrusion of the name and hence has a static scope. Consequently, a communication channel in the scope of a hide can be implemented as a dedicated channel, and it is more secure than one in the scope of a new. To emphasize the difference, we introduce a spy context that represents a side-channel attack and breaks some of the standard security equations for new. To formally reason on the security guarantees provided by the hide construct, we introduce an observational theory and establish stronger equivalences by relying on a proof technique based on bisimulation semantics.

1 Introduction 

The restriction operator is present in most process calculi. Its behaviour is crucial for expressiveness (e.g., for specifying unbounded linked structures, nonce generation and locality). In the π-calculus [19, 20], it plays a prominent role: it provides for the generation and extrusion of unique names. In CCS [18], it is also fundamental but it does not provide for name extrusion: it limits the interface of a given process with its external world. In this paper we shall extend the π-calculus with a hiding operator, called hide, that behaves similarly to the CCS restriction. The motivation for our work comes from the realm of secrecy and confidentiality: we shall argue that hide allows us to express and guarantee secret communications.

Motivation. Secrecy and confidentiality are major concerns in most systems of communicating agents. 
Either because some of the agents are untrusted, or because the communication uses insecure channels, 
there may be the risk of sensitive information being leaked to potentially malicious entities. The price 
to pay for such security breaches may also be very high. It is not surprising, therefore, that secrecy and 
confidentiality have become central issues in the formal specification and verification of communicating 
systems. 

The π-calculus and especially its variants enriched with mechanisms to express cryptographic operations, the spi calculus [5] and the applied π-calculus [3], have become popular formalisms for security applications. They all feature the operator new (restriction) and make crucial use of it in the definition of security protocols. The prominent aspects of new are the capability of creating a new channel name, whose use is restricted within a certain scope, and the possibility of enlarging its scope by communicating it to other processes. The latter property is central to the most interesting feature of the π-calculus: the mobility of the communication structure.
Although in principle the restriction aspect of new should guarantee that the channel is used for communication within a secure environment only, the capability of extruding the scope leads to security problems. In particular, it makes it unnatural to implement the communication using dedicated channels, and non-dedicated channels are not secure by default. The spi calculus and the applied π-calculus do not assume, indeed, any security guarantee on the channel, and implement security by using cryptographic encryption.

Let us illustrate the problem with an example. The following π-calculus process describes a protocol for the exchange of confidential information:

$P = \bar{s}\langle CreditCard\rangle \mid s(x).\text{if } x = OwnerCard \text{ then } (\bar{p}\langle Ok\rangle \mid \bar{p}\langle s\rangle)$ \qquad $p \neq s$

In this specification, the thread on the left sends a credit card number over the channel $s$ to the thread on the right, which is waiting for an input on the same channel. If the received card number is the expected one, then the latter both sends an ack and forwards the communication channel $s$ on a public channel $p$. The problem is that, while the confidentiality of the information would require the context to be unable to interfere with the protocol and to steal the credit card number, in fact this is not guaranteed in the π-calculus, where interaction with a parallel process waiting for input on channel $s$ is allowed.

To amend this problem, the idea is to make the channel for the exchange of the secret information available only to the process $P$, restricting its scope to $P$ with the declaration $(\text{new } s)P$. The π-calculus semantics makes the exchange invisible to the context. This is formalized by the following observational equation stating that no π-calculus context can tell apart $P$ from its continuation:

$(\text{new } s)P \cong_{obs} (\text{new } s)\,\text{if } CreditCard = OwnerCard \text{ then } (\bar{p}\langle Ok\rangle \mid \bar{p}\langle s\rangle)$ \qquad (1)

Unfortunately, to preserve such behavioral equations when processes are deployed in untrusted envi- 
ronments is difficult, since, as explained above, we cannot rely on dedicated channels for communication 
on names created by the new operator. One natural approach to cope with this problem is to map the pri- 
vate communication within the scope of the new into open communications protected by cryptography. 

For instance, the process $(\text{new } s)P$ could be implemented in the spi calculus protocol $[\![(\text{new } s)P]\!]$ below by using a public-key crypto-scheme. In this implementation the creation of a π-calculus channel $s$ is mapped into the creation of a pair of spi calculus keys: a public key $s^+$ and a private key $s^-$. The receiver performs decryption of the crypto-packet $\{CC\}_{s^+}$ with the private key $s^-$; the operation assigns the card number to the variable in the conditional test.

$[\![(\text{new } s)P]\!] = (\text{new } s^+, s^-)(\overline{net}\langle\{CC\}_{s^+}\rangle.0 \mid net(y).\text{decrypt } y \text{ as } \{x\}_{s^-} \text{ in } Q)$
$Q = \text{if } x = OC \text{ then } \overline{net}\langle\{Ok\}_{p^+}\rangle \mid \overline{net}\langle\{s^+, s^-\}_{p^+}\rangle$

Unfortunately, the naive protocol above suffers from a number of problems, among which the most serious is the lack of forward secrecy: this property would guarantee that if keys are corrupted at some time $t$ then the protocol steps that occurred before $t$ still preserve secrecy. In particular, forward secrecy requires that the content of the packet $\{CC\}_{s^+}$, which is the credit card number, is not disclosed if at some step of the computation the context gains the decryption key $s^-$. Stated differently, the implementation $[\![\cdot]\!]$ should preserve the semantics of equation (1): that is, it should be fully abstract. It is easy to see that this is not the case, since a spi calculus context can first buffer the encrypted packet and subsequently, whenever it comes into possession of the decryption key, retrieve the confidential information; this breaks equation (1). While a solution to recover the behavioral theory of the π-calculus is available [11], the price to pay is a complex cryptographic protocol that relies on a set of trusted authorities acting as proxies.
Based on these considerations, in this paper we argue that the restriction operator of the π-calculus does not adequately ensure confidentiality. To tackle this problem, we introduce an operator to program secret communications explicitly, called hide. From a programming language point of view, the envisaged use of the operator is for declaring secret a medium used for local inter-process communication; examples include pipelines, message queues and IPC mechanisms of microkernels. The operator is static: that is, we assume that the scope of hidden channels cannot be extruded. The motivation is that all processes using a private channel shall be included in the scope of its hide declaration; processes outside the scope represent another location, and must not interfere with the protocol. Since hide cannot extrude the scope of secret channels, we can use it to directly build specifications that preserve forward secrecy. In contrast, we regard the restriction operator of the π-calculus, new, as useful to create a new channel for message passing with scope extrusion, which does not provide secrecy guarantees.

To emphasize the difference between hide and new, we introduce a spy context that represents a side- 
channel attack on the non-dedicated channels. In practice, spy is able to detect whether there has been a 
communication on one of the channels not protected by a hide, but is not able to retrieve its content. 

Contributions. We introduce the secret π-calculus as an extension of the π-calculus with an operator representing confidentiality (hide). We develop its structural operational semantics and its observational theory. In particular, we provide a reduction semantics, a labelled transition semantics and an observational equivalence. We show that the observational equivalence induced by the reduction semantics coincides with the bisimilarity induced by the labelled transition system semantics. To illustrate the difference between hide and new, we shall also consider a distinguished process context, called spy, representing a side-channel attack.

Plan of the paper. In the next section we introduce the syntax and the reduction semantics of the secret π-calculus. In Section 3 we present the observational equivalence, and a characterization based on labelled transition semantics, which we show sound and complete. In Section 4 we introduce the spy process, and we extend the reduction semantics and the bisimulation method accordingly. In Section 5 we discuss some algebraic equalities and inequalities of the secret π-calculus, and we analyze some interesting examples, notably an implementation of name matching, and a deployment of mandatory access control. Finally, Section 6 presents related work and concludes. An extended version of the paper containing all proofs is available online [13].

2 Secret π-calculus

This section introduces the syntax and the semantics of our calculus, the secret π-calculus. The syntax of the processes in Figure 1 extends that of the π-calculus [19, 20] in two ways: (1) we consider two binding operators, new, which, as we will argue, does not offer enough security guarantees, and hide, which serves to program secrecy; (2) we use two forms of restricted pattern matching in input, so that we can deny a process the reception of a (possibly empty) set of channels, or we can force a process to receive only trusted channels. When in the first form the set of channels is empty we have the standard input of the π-calculus. We use an infinite set of names $\mathcal{N}$, ranged over by $a, b, \ldots, x, y, z$, to represent channel names and parameters, i.e. the subjects and the objects of communication, respectively. We let $A, B$ range over subsets of $\mathcal{N}$.

$P, Q ::=$                                                  Processes:

    $x(y \div B).P$          input                $(\text{new } x)(P)$      restriction
    $x[y : A].P$             trusted input        $[\text{hide } x][P]$     secrecy
    $\bar{x}\langle y\rangle.P$   output          $0$                       inaction
    $P \mid Q$               composition          $!P$                      replication

Figure 1: Syntax of the secret π-calculus

A process of the form $x(y \div B).P$ represents an input where the name $x$ is the input channel name, $y$ is a formal parameter which can appear in the continuation $P$, and $B$ is the set of blocked names that the process cannot receive. In contrast, an input process of the form $x[y : A].P$ declares the object names that the process can accept: that is, the process accepts in input a name $z$ only if $z \in A$. This makes it possible to program security protocols where only trusted names can be received. The free and the bound names of such processes are defined as follows: $fn(x(y \div B).P) = (fn(P) \setminus \{y\}) \cup \{x\} \cup B$ and $bn(x(y \div B).P) = \{y\} \cup bn(P)$, $fn(x[y : A].P) = (fn(P) \setminus \{y\}) \cup \{x\} \cup A$ and $bn(x[y : A].P) = \{y\} \cup bn(P)$.

Processes $\bar{x}\langle y\rangle.P$, $(\text{new } x)(P)$, $P \mid Q$, $!P$, and $0$ are the π-calculus operators respectively describing an output of a name $y$ over channel $x$, restriction of $x$ in $P$, parallel composition, replication and inaction; see [23] for more details.

The process $[\text{hide } x][P]$ represents a process $P$ in which the name $x$ is regarded as secret, and should not be accessible to any process external to $P$. $[\text{hide } x][P]$ binds the occurrences of $x$ in $P$: $fn([\text{hide } x][P]) = fn(P) \setminus \{x\}$, and $bn([\text{hide } x][P]) = \{x\} \cup bn(P)$.

Contexts are processes containing a hole $-$. We write $C[P]$ for the process obtained by replacing $-$ with $P$ in $C[-]$.

$C[-] ::= - \mid C[-] \mid P \mid P \mid C[-] \mid (\text{new } x)(C[-]) \mid [\text{hide } x][C[-]]$ \qquad contexts

We write $x(y).P$ as a shorthand for $x(y \div \emptyset).P$, and omit curly brackets in $x(y \div \{a\}).P$ and $x[y : \{a\}].P$. When no ambiguity is possible, we will drop the scope parentheses in $(\text{new } x)(P)$ and $[\text{hide } x][P]$. We will often omit trailing $0$s.

The combination of the accept and the block construct makes it possible to design processes which are not subject to interference attacks from the context. We note that their roles are dual: the accept operator prevents the reception (intrusion) of untrusted names from the environment, and its use is specified by the programmer. The block mechanism prevents another process from sending (extruding) a secret name, and it is inserted automatically by the system to ensure the protection of such names. One may wonder whether we could have used just one form of (trusted) input, and declare the names to be blocked by accepting all names in $\mathcal{N}$ but the intended ones. The main reason that guided our choice is that we believe that our form of input with blocked names can be effectively implemented, for instance by using blacklists. Also, we think that there is a nice symmetry between processes $x(y \div B).P$ and $(\text{new } x)P$, and between processes $x[y : A].P$ and $[\text{hide } x]P$.

We embed the block mechanism in the rules for structural congruence through the operation $\uplus$ defined in Figure 2. Blocked names could indeed be introduced both statically and dynamically, i.e. when structural congruence is performed during the computation. We leave the time at which the system explicitly blocks the name in components as an implementation detail. Note that in the second rule of the first line the name $b$ is guaranteed to be different from all the names in $A$, because in the congruence rule for hide (cf. the same figure) the free names of $Q$ are required to be different from the name we want to hide, so alpha-conversion should be applied where needed.

Following standard lines, we define the semantics of our calculus via a reduction relation, also specified in Figure 2. We assume a capture-free substitution operation $\{z/y\}$: the process $P\{z/y\}$ is obtained from $P$ by substituting all the free occurrences of $y$ by $z$. As usual, we use a structural congruence $\equiv$ to rearrange processes. Such congruence includes the equivalence induced by alpha-conversion, and the relations defined in Figure 2. The rules for the π-calculus operators (first line) are the standard ones. The rules for inaction under a binder follow (second line). We recall that the scope extrusion rule for new (third line) permits to enlarge the scope of a name and lets a process receive it. In contrast, the scope extrusion rule for hide (fourth line) permits to enlarge the scope of a name, but at the same time it marks the name as blocked for the processes which are being included in the scope, thus preventing them from receiving the name. The last rule (fifth line) permits to swap the two binders.

Rules for blocking a name

$(x(y \div B).P) \uplus b = x(y \div B \cup \{b\}).(P \uplus b)$ \qquad $(x[y : A].P) \uplus b = x[y : A].(P \uplus b)$
$((\text{new } x)(P)) \uplus b = (\text{new } x)(P \uplus b)$ (*) \qquad $([\text{hide } x][P]) \uplus b = [\text{hide } x][P \uplus b]$ (*) \qquad (*) $b \neq x$
$(\bar{x}\langle y\rangle.P) \uplus b = \bar{x}\langle y\rangle.(P \uplus b)$ \qquad $(P \mid Q) \uplus b = P \uplus b \mid Q \uplus b$
$(!P) \uplus b = !(P \uplus b)$ \qquad $0 \uplus b = 0$

Rules for structural congruence

$P \mid Q \equiv Q \mid P$ \qquad $(P \mid Q) \mid R \equiv P \mid (Q \mid R)$ \qquad $!P \equiv P \mid !P$
$(\text{new } x)(0) \equiv 0$ \qquad $[\text{hide } x][0] \equiv 0$
$(\text{new } x)(P) \mid Q \equiv (\text{new } x)(P \mid Q)$ \qquad $x \notin fn(Q)$
$[\text{hide } x][P] \mid Q \equiv [\text{hide } x][P \mid Q \uplus x]$ \qquad $x \notin fn(Q)$
$(\text{new } x)([\text{hide } y][P]) \equiv [\text{hide } y][(\text{new } x)(P)]$ \qquad $x \neq y$

Reduction rules

[R-COM] $x(y \div B).P \mid \bar{x}\langle z\rangle.Q \to P\{z/y\} \mid Q$ \qquad $z \notin B$
[R-T-COM] $x[y : A].P \mid \bar{x}\langle z\rangle.Q \to P\{z/y\} \mid Q$ \qquad $z \in A$
[R-NEW] if $P \to P'$ then $(\text{new } x)(P) \to (\text{new } x)(P')$
[R-HIDE] if $P \to P'$ then $[\text{hide } x][P] \to [\text{hide } x][P']$
[R-PAR] if $P \to P'$ then $P \mid Q \to P' \mid Q$
[R-STRUCT] if $P \equiv Q$, $Q \to Q'$ and $Q' \equiv P'$ then $P \to P'$

Figure 2: Reduction semantics

The first rule for reduction, [R-COM], says that an input process of the form $x(y \div B).P$ is allowed to synchronize with an output process $\bar{x}\langle z\rangle.Q$ and receive the name $z$, provided that $z$ is not blocked ($z \notin B$). The result of the synchronization is the progression of both the receiver and the sender, where the formal parameter in the input's continuation is replaced by the name $z$. Note that whenever $B = \emptyset$ we have the standard communication rule of the π-calculus. The main novelty is represented by the rule for trusted communication [R-T-COM]. This rule says that an output process can send a name $z$ over $x$ to a parallel process waiting for input on $x$, provided that $z$ is explicitly declared as accepted ($z \in A$) by the receiver. If this is the case, the name will replace the occurrences of the formal parameter in the input's continuation. Rules [R-NEW] and [R-HIDE] are for new and for hide respectively, and follow the same schema. The rules for parallel composition, replication and incorporating structural congruence are standard. We let $P \Rightarrow P'$ whenever either (a) $P \to^{+} P'$, or (b) $P' \equiv P$.

Example 2.1. We show how hide can be used to prevent the extrusion of a secret. Consider the process:

$P \stackrel{def}{=} [\text{hide } z][\bar{x}\langle v\rangle]$ \qquad $x \neq z$

The process $\bar{x}\langle v\rangle$ can be interpreted as an internal attacker trying to leak the name $v$ to a context $C[-] \stackrel{def}{=} - \mid x(y).\overline{leak}\langle y\rangle$. By using the structural rule for enlarging the scope of hide in Figure 2 we infer that $C[P] \equiv [\text{hide } z][\bar{x}\langle v\rangle \mid x(y \div z).\overline{leak}\langle y\rangle]$. Whenever the name $v$ is not declared secret, that is whenever $v \neq z$, the leak cannot be prevented: by applying [R-COM], [R-HIDE] and [R-STRUCT] we have $C[P] \to \overline{leak}\langle v\rangle$. Conversely, when the name $v$ is protected by hide, that is $v = z$, we do not have any interaction and secrecy is preserved.

Example 2.2. The combined use of the accept and block sets makes it possible to avoid interference with the context. Consider the process below, where $n > 0$:

$P \stackrel{def}{=} [\text{hide } z_1] \cdots [\text{hide } z_n][\cdots[x[y : Z].P' \mid \bar{x}\langle z_i\rangle]\cdots]$ \qquad $Z \subseteq \{z_1, \ldots, z_n\}$, $i \in \{1, \ldots, n\}$

Take a context $C[-] \stackrel{def}{=} - \mid (\text{new } y)(\bar{x}\langle y\rangle) \mid\, !x(w)$. Such a context is unable to send the fresh name $y$ to $P$, because the input process in $P$ is programmed to accept only trusted names protected by hide. Dually, the context cannot receive the protected name $z_i$. Therefore $C$ and $P$ cannot interact: $C[P] \to Q$ implies that either (a) $Q \equiv C[[\text{hide } z_1] \cdots [\text{hide } z_n][\cdots[P'\{z_i/y\}]\cdots]]$ or (b) $Q \equiv C[P]$.
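To make the reduction rules of Figure 2 and the two examples concrete, the following Python program is an added example and not code from the paper. It implements the fragment of the syntax that Examples 2.1 and 2.2 use (input, trusted input, output, parallel composition and hide; new and replication are left out), the blocking operation $\uplus$, the scope-extrusion congruence rule for hide, and the reduction rules [R-COM] and [R-T-COM] with their side conditions $z \notin B$ and $z \in A$. It then explores every reachable process and reports which names ever reach a given channel. The class and function names (In, TIn, Out, Par, Hide, block, enter_scope, step, leaked), the continuation channels got and ctxgot, and the modelling of the fresh name created by new in Example 2.2 as a free name y that only the context knows, are all this example's own assumptions.

```python
from dataclasses import dataclass

# Syntax of Figure 1 without new and replication (enough for Examples 2.1 and 2.2).
@dataclass(frozen=True)
class Nil: pass                                                     # 0
@dataclass(frozen=True)
class In:  chan: str; param: str; blocked: frozenset; cont: object  # x(y ÷ B).P
@dataclass(frozen=True)
class TIn: chan: str; param: str; accepted: frozenset; cont: object # x[y : A].P
@dataclass(frozen=True)
class Out: chan: str; obj: str; cont: object                        # x̄⟨y⟩.P
@dataclass(frozen=True)
class Par: left: object; right: object                              # P | Q
@dataclass(frozen=True)
class Hide: name: str; body: object                                 # [hide x][P]

def fn(p):                        # free names, as defined in Section 2
    if isinstance(p, In):  return (fn(p.cont) - {p.param}) | {p.chan} | p.blocked
    if isinstance(p, TIn): return (fn(p.cont) - {p.param}) | {p.chan} | p.accepted
    if isinstance(p, Out): return fn(p.cont) | {p.chan, p.obj}
    if isinstance(p, Par): return fn(p.left) | fn(p.right)
    return fn(p.body) - {p.name} if isinstance(p, Hide) else frozenset()

def block(p, b):                  # P ⊎ b (Figure 2): b becomes blocked in every input of P
    if isinstance(p, In):  return In(p.chan, p.param, p.blocked | {b}, block(p.cont, b))
    if isinstance(p, TIn): return TIn(p.chan, p.param, p.accepted, block(p.cont, b))
    if isinstance(p, Out): return Out(p.chan, p.obj, block(p.cont, b))
    if isinstance(p, Par): return Par(block(p.left, b), block(p.right, b))
    if isinstance(p, Hide):
        assert p.name != b, "side condition (*): alpha-convert the hidden name first"
        return Hide(p.name, block(p.body, b))
    return p                                                        # 0 ⊎ b = 0

def subst(p, z, y):               # P{z/y}: free occurrences of y become z (capture-free)
    r = lambda n: z if n == y else n
    if isinstance(p, Out):  return Out(r(p.chan), r(p.obj), subst(p.cont, z, y))
    if isinstance(p, Par):  return Par(subst(p.left, z, y), subst(p.right, z, y))
    if isinstance(p, Hide): return p if p.name == y else Hide(p.name, subst(p.body, z, y))
    if isinstance(p, Nil):  return p
    cont = p.cont if p.param == y else subst(p.cont, z, y)          # y rebound: stop
    names = frozenset(map(r, p.blocked if isinstance(p, In) else p.accepted))
    return type(p)(r(p.chan), p.param, names, cont)

def enter_scope(p, ctx):          # - | ctx, pushed under p's hides by the congruence rule
    if isinstance(p, Hide):       # [hide x][P] | Q ≡ [hide x][P | Q ⊎ x]   (x ∉ fn(Q))
        assert p.name not in fn(ctx), "rename the hidden name before enlarging its scope"
        return Hide(p.name, enter_scope(p.body, block(ctx, p.name)))
    return Par(p, ctx)

def threads(p):                   # flatten P | Q into its parallel components
    return threads(p.left) + threads(p.right) if isinstance(p, Par) else [p]

def par(ts):                      # rebuild a composition, dropping inert 0s
    ts = [t for t in ts if not isinstance(t, Nil)] or [Nil()]
    p = ts[0]
    for t in ts[1:]: p = Par(p, t)
    return p

def step(p):                      # one-step reducts by [R-COM], [R-T-COM], [R-HIDE], [R-PAR]
    if isinstance(p, Hide): return [Hide(p.name, q) for q in step(p.body)]
    ts, res = threads(p), []
    for i, recv in enumerate(ts):
        for j, send in enumerate(ts):
            if (i == j or not isinstance(send, Out) or not isinstance(recv, (In, TIn))
                    or recv.chan != send.chan): continue
            ok = (isinstance(recv, In) and send.obj not in recv.blocked     # [R-COM]:   z ∉ B
                  or isinstance(recv, TIn) and send.obj in recv.accepted)   # [R-T-COM]: z ∈ A
            if ok:
                rest = [t for k, t in enumerate(ts) if k not in (i, j)]
                res.append(par([subst(recv.cont, send.obj, recv.param), send.cont] + rest))
    for i, t in enumerate(ts):    # a hide running in parallel reduces on its own
        if isinstance(t, Hide): res += [par(ts[:i] + [q] + ts[i + 1:]) for q in step(t)]
    return res

def outs(p, chan):                # objects of unguarded outputs on chan, looking through hide
    if isinstance(p, Out): return {p.obj} if p.chan == chan else set()
    if isinstance(p, Par): return outs(p.left, chan) | outs(p.right, chan)
    return outs(p.body, chan) if isinstance(p, Hide) else set()

def leaked(p, chan):              # everything an observer of chan can ever receive from p
    seen, todo, found = set(), [p], set()
    while todo:
        q = todo.pop()
        if q not in seen:
            seen.add(q); todo += step(q); found |= outs(q, chan)
    return frozenset(found)

def example_2_1(v):               # P = [hide z][x̄⟨v⟩] in C[-] = - | x(y).leak̄⟨y⟩
    p = Hide("z", Out("x", v, Nil()))
    ctx = In("x", "y", frozenset(), Out("leak", "y", Nil()))
    return leaked(enter_scope(p, ctx), "leak")

def example_2_2():                # [hide z1][hide z2][x[y : {z1,z2}].P' | x̄⟨z1⟩] vs - | x̄⟨y⟩ | x(w)
    secret = TIn("x", "y", frozenset({"z1", "z2"}), Out("got", "y", Nil()))
    p = Hide("z1", Hide("z2", Par(secret, Out("x", "z1", Nil()))))
    ctx = Par(Out("x", "y", Nil()), In("x", "w", frozenset(), Out("ctxgot", "w", Nil())))
    q = enter_scope(p, ctx)       # y stands for the fresh name created by new in the context
    return leaked(q, "got"), leaked(q, "ctxgot")
```

example_2_1("v") returns {"v"}: entering the hide only blocks z in the context's input, so an unprotected v is still leaked. example_2_1("z") returns the empty set: the context's input has become x(y ÷ {z}) once it is under the hide, so [R-COM] cannot fire and there is no reduction at all. example_2_2() reports that the trusted input only ever receives z1 (from its own partner inside the hide, never the context's y), and that the context's input only ever receives its own y, never z1: the two sides cannot interact, exactly as the example states.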



3 Observational equivalence 

In this section we define a notion of behavioral equivalence based on observables, or barbs. As the 
reader will notice, a distinctive feature of our observational theory is that trusted inputs are visible only 
under certain conditions, namely that the context knows at least a name that is declared as accepted. 
Conversely, processes trying to send a name protected by an hide declaration are not visible at all. The 
choice to work in a synchronous setting permits us to emphasize the differences among our theory and 
that of 71-calculus. However, the same results would hold for a secret asynchronous 7i-calculus, while 
the contrast would be less explicit as input barbs would not be observable. 

We say that a name x is bound in P if x € bn(P). An occurrence of y is hidden in P if such occurrence 
of y appears in the scope of a hide operator in P. 

Definition 3.1 (Barbs). We define:

• $P \downarrow_x$ whenever $P \equiv C[x[y : A].Q]$ with $x$ not bound in $P$ and $A \cap bn(P) \neq A$, or whenever $P \equiv C[x(y \div B).Q]$ with $x$ not bound in $P$.

• $P \downarrow_{\bar{x}}$ whenever $P \equiv C[\bar{x}\langle y\rangle.Q]$ with $x$ not bound in $P$ and $y$ not hidden in $P$.

Based on this definition, we have that $P_1 \stackrel{def}{=} [\text{hide } x]z[y : x].Q$, $P_2 \stackrel{def}{=} (\text{new } x)x(y \div B).Q$, and $P_3 \stackrel{def}{=} z[y : \emptyset].Q$ do not exhibit a barb $z$, written $P_i \not\downarrow_z$ for $i = 1, 2, 3$. In contrast, when $x \neq z$ and $A \setminus \{x\} \neq \emptyset$ we have that $(\text{new } x)z[y : A].P \downarrow_z$, and when $x \neq z$ we have $[\text{hide } x]z(y \div B).P \downarrow_z$. Whenever $P \stackrel{def}{=} [\text{hide } y]\bar{x}\langle v\rangle.Q$ with $y \neq x$, we have $P \downarrow_{\bar{x}}$ if $y \neq v$, and $P \not\downarrow_{\bar{x}}$ otherwise. Weak barbs are defined by ignoring reductions. We let $P \Downarrow_x$ whenever $P \Rightarrow P'$ and $P' \downarrow_x$; similarly $P \Downarrow_{\bar{x}}$ whenever $P \Rightarrow P'$ and $P' \downarrow_{\bar{x}}$.

Following the standard definition of observational equivalence, we are aiming at an equivalence 
relation that is sensitive to the barbs, is closed under reduction, and is preserved by certain contexts. 
[L-IN] $x(y \div B).P \xrightarrow{x(z)} P\{z/y\}$ \qquad $z \notin B$
[L-IN-T] $x[y : A].P \xrightarrow{x(z)} P\{z/y\}$ \qquad $z \in A$
[L-OUT] $\bar{x}\langle y\rangle.P \xrightarrow{\bar{x}\langle y\rangle} P$
[L-OPEN] if $P \xrightarrow{\bar{x}\langle y\rangle} P'$ and $y \neq x$ then $(\text{new } y)P \xrightarrow{(y)\bar{x}\langle y\rangle} P'$
[L-COM] if $P \xrightarrow{\bar{x}\langle y\rangle} P'$ and $Q \xrightarrow{x(y)} Q'$ then $P \mid Q \xrightarrow{\tau} P' \mid Q'$
[L-CLOSE] if $P \xrightarrow{x(y)} P'$, $Q \xrightarrow{(y)\bar{x}\langle y\rangle} Q'$ and $y \notin fn(P)$ then $P \mid Q \xrightarrow{\tau} (\text{new } y)(P' \mid Q')$
[L-NEW] if $P \xrightarrow{\alpha} P'$ and $x \notin fn(\alpha)$ then $(\text{new } x)P \xrightarrow{\alpha} (\text{new } x)P'$
[L-HIDE] if $P \xrightarrow{\alpha} P'$ and $x \notin fn(\alpha)$ then $[\text{hide } x]P \xrightarrow{\alpha} [\text{hide } x]P'$
[L-PAR] if $P \xrightarrow{\alpha} P'$ and $bn(\alpha) \cap fn(Q) = \emptyset$ then $P \mid Q \xrightarrow{\alpha} P' \mid Q$
[L-REPL] if $P \xrightarrow{\alpha} P'$ then $!P \xrightarrow{\alpha} P' \mid !P$

Figure 3: Labelled transition system



Definition 3.2 (Barb preservation). A relation $\mathcal{R}$ over processes is barb preserving if $P\,\mathcal{R}\,Q$ and $P \downarrow_x$ imply $Q \Downarrow_x$, and $P \downarrow_{\bar{x}}$ implies $Q \Downarrow_{\bar{x}}$.

The requirement of reduction closure is to ensure that the processes maintain their correspondence 
through the computation. 

Definition 3.3 (Reduction closure). A relation $\mathcal{R}$ over processes is reduction-closed if $P\,\mathcal{R}\,Q$ and $P \to P'$ imply that $Q \Rightarrow Q'$ and $P'\,\mathcal{R}\,Q'$.

We require contextuality with respect to the parallel composition, the new and the hide operators (cf. Section 2).

Definition 3.4 (Contextuality). A relation $\mathcal{R}$ over processes is contextual if $P\,\mathcal{R}\,Q$ implies $C[P]\,\mathcal{R}\,C[Q]$.

Definition 3.5 (Observational equivalence). Observational equivalence, noted $\cong$, is the largest symmetric relation over processes which is barb preserving, reduction closed and contextual.

Observational equivalence is difficult to establish since it requires quantification over contexts. In the next section we will introduce labelled transition semantics for the secret π-calculus, and show that the induced bisimulation coincides with observational equivalence. Besides the theoretical interest, this will also be of help in proving that two processes are observationally equivalent.



3.1 Characterization

The characterization relies on labelled transitions of the form $P \xrightarrow{\alpha} P'$, where $\alpha$ is one of the following actions:

$\alpha ::= x(z) \mid \bar{x}\langle z\rangle \mid (z)\bar{x}\langle z\rangle \mid \tau$

We let $fn(x(z)) = \{x\}$, $fn(\bar{x}\langle z\rangle) = \{x, z\}$, and $fn((z)\bar{x}\langle z\rangle) = \{x\}$. We define $bn(x(z)) = \{z\}$, $bn(\bar{x}\langle z\rangle) = \emptyset$, and $bn((z)\bar{x}\langle z\rangle) = \{z\}$. We let $fn(\tau) = \emptyset = bn(\tau)$.

The transitions are defined by the rules in Figure 3. Action $x(z)$ represents the receiving of a name $z$ on a channel $x$. In rule [L-IN], a process of the form $x(y \div B).P$ can receive a value $z$ over $x$, provided that $z$ is not blocked ($z \notin B$). The received name will replace the formal parameter in the body of the continuation. Rule [L-IN-T] describes a trusted input, that is a process of the form $x[y : A].P$ that receives a variable $z$ over $x$ whenever $z$ is accepted ($z \in A$); the variable $z$ will replace all occurrences of $y$ in $P$. The action $\bar{x}\langle y\rangle$ represents the output of a name $y$ over $x$. This move is performed in [L-OUT] by the process $\bar{x}\langle y\rangle.P$ and leads to the continuation $P$. Communication arises in rule [L-COM] by means of a $\tau$ action obtained by a synchronization of an $\bar{x}\langle y\rangle$ action with an $x(y)$ action. Action $(y)\bar{x}\langle y\rangle$ is fired when the name $y$ sent over $x$ is bound by the new operator and its scope is opened by using rule [L-OPEN]. The scope of the new is closed by using rule [L-CLOSE]. In this rule the scope of a name $y$ sent over $x$ is enlarged to include a process which executes a dual action $x(y)$, giving rise to a synchronization of the two threads depicted by an action $\tau$. Rule [L-NEW] is standard for restriction. Rule [L-HIDE] says that process $[\text{hide } x]P$ performs an action $\alpha$ inferred from $P$, provided that $\alpha$ does not contain $x$. Therefore extrusion of hidden channels is not possible, as previously discussed; note indeed that this is the only rule applicable for hide. Rule [L-REPL] performs a replication.

We have a standard notion of bisimilarity; in the following, we let $\Rightarrow$ be the reflexive and transitive closure of $\xrightarrow{\tau}$.

Definition 3.6 (Bisimilarity). A symmetric relation $\mathcal{R}$ over processes is a bisimulation if whenever $P\,\mathcal{R}\,Q$ and $P \xrightarrow{\alpha} P'$ then there exists a process $Q'$ such that $Q \Rightarrow \xrightarrow{\hat{\alpha}} \Rightarrow Q'$ and $P'\,\mathcal{R}\,Q'$, where $\hat{\alpha}$ is the empty string if $\alpha = \tau$ and $\hat{\alpha} = \alpha$ otherwise. Bisimilarity, noted $\approx$, is the largest bisimulation.

The following result establishes that bisimilarity can be used as a proof technique for observational equivalence; the proof is by coinduction and relies on the closure of bisimilarity under the new, hide and parallel composition operators.

Proposition 3.7 (Soundness). If $P \approx Q$ then $P \cong Q$.

To prove the reverse direction, namely that behaviourally equivalent processes are bisimilar, we follow the approach of Hennessy [17] and proceed by co-induction relying on contexts $C_\alpha$ which emit the desired barbs whenever they interact with a process $P$ such that $P \xrightarrow{\alpha} P'$, and vice versa. Perhaps interestingly, we can program a context to check if a given name is fresh even if our syntax does not include a matching construct (cf. [8]). In Section 5 we will show that in the secret π-calculus the process $\text{if } x = y \text{ then } P \text{ else } Q$ can be derived.

Proposition 3.8 (Completeness). If $P \cong Q$ then $P \approx Q$.

Proof. Let $P\,\mathcal{R}\,Q$ whenever $P \cong Q$ and assume that $P \xrightarrow{\alpha} P'$. We show that there is $Q'$ such that $Q \Rightarrow \xrightarrow{\hat{\alpha}} \Rightarrow Q'$ and $P' \cong Q'$; this suffices to prove that $\mathcal{R}$ is included in observational equivalence (cf. [22]). Whenever $\alpha = \tau$, we use reduction-closure of $\cong$ to find $Q'$ such that $Q \Rightarrow Q'$ with $P' \cong Q'$. By relying on a lemma that establishes that reductions correspond to $\tau$ actions, we infer that $Q \Rightarrow Q'$, which is the desired result since $P'\,\mathcal{R}\,Q'$. Otherwise assume $\alpha \neq \tau$. We exploit contextuality of $\cong$ and infer that $C^A_\alpha[P] \cong C^A_\alpha[Q]$ where we let $A = fn(P) \cup fn(Q)$ and $C^A_\alpha$ be defined below. We let $A = \{a_1, \ldots, a_n\}$, $I = \{1, \ldots, n\}$, with $n \geq 1$, and assume names $\omega, \psi_1, \ldots, \psi_n$ such that $\{\omega, \psi_1, \ldots, \psi_n\} \cap A = \emptyset$.

$C^A_{x(y)}[-] \stackrel{def}{=} - \mid \bar{x}\langle y\rangle.\bar{\omega}\langle\rangle$

$C^A_{\alpha}[-] \stackrel{def}{=} - \mid [\text{hide } k][x(z).(z[w : k] \mid \bar{\omega}\langle\rangle) \mid \prod_{i \in I} \bar{a}_i\langle k\rangle.\bar{\psi}_i\langle\rangle]$ \qquad $\alpha = \bar{x}\langle y\rangle, (y)\bar{x}\langle y\rangle$

$C'_y \stackrel{def}{=} [\text{hide } k][y[w : k] \mid \bar{\omega}\langle\rangle \mid \prod_{i \in I} \bar{a}_i\langle k\rangle.\bar{\psi}_i\langle\rangle]$ \qquad $\forall i \in I.\ y \neq a_i$

$C''_y \stackrel{def}{=} [\text{hide } k][\bar{\omega}\langle\rangle \mid \bar{\psi}_l\langle\rangle \mid \prod_{i \in I \setminus \{l\}} \bar{a}_i\langle k\rangle.\bar{\psi}_i\langle\rangle]$ \qquad $a_l = y$

Assume $\alpha = \bar{x}\langle y\rangle$. We have that there is $a_l \in A$, $a_l = y$, such that $C_\alpha[P] \Rightarrow \equiv C_P \stackrel{def}{=} P' \mid C''_y$. We find a process $C_Q$ such that $C_\alpha[Q] \Rightarrow C_Q \cong C_P$. Since $C_P \Downarrow_{\bar{\omega}} \Downarrow_{\bar{\psi}_l}$, this implies that $C_Q \Downarrow_{\bar{\omega}} \Downarrow_{\bar{\psi}_l}$. Therefore the weak barb $\bar{\omega}$ of $C_Q$ has been unblocked since $Q$ emits a weak action $\alpha'$ with $x$ as subject. Moreover, the object of $\alpha'$ is $y$, that is $\alpha' = \alpha$, because of the weak barb $\bar{\psi}_l$. Indeed the thread $\bar{a}_l\langle k\rangle.\bar{\psi}_l\langle\rangle$ with $a_l = y$ can be unblocked only by $y[w : k]$, because $k$ is protected by the hide declaration. Therefore there is $Q'$ such that $Q \Rightarrow \xrightarrow{\alpha} \Rightarrow Q'$ and $C_Q \equiv Q' \mid C''_y$. We conclude by showing that this implies $P' \cong Q'$, and in turn $P'\,\mathcal{R}\,Q'$, as requested.

Assume $\alpha = (y)\bar{x}\langle y\rangle$. We have that $C_\alpha[P] \Rightarrow \equiv C_P \stackrel{def}{=} P' \mid C'_y$. Since $y$ is fresh we have that $a_i \neq y$ for all $a_i \in A$. Therefore $C_P \not\Downarrow_{\bar{\psi}_i}$ for all $i \in I$, because $k$ is protected by hide. We easily obtain that there is $C_Q$ such that $C_\alpha[Q] \Rightarrow C_Q \cong C_P$ with $C_Q \Downarrow_{\bar{\omega}} \not\Downarrow_{\bar{\psi}_i}$ for all $i \in I$. This lets us infer that there is $Q'$ such that $Q \Rightarrow \xrightarrow{\alpha} \Rightarrow Q'$ and $C_Q \equiv Q' \mid C'_y$, and the result then follows by showing that $P' \mid C'_y \cong Q' \mid C'_y$ implies $P' \cong Q'$. □

Full abstraction is obtained by Propositions 3.7 and 3.8.

Theorem 3.9 (Full Abstraction). $\cong\ =\ \approx$.



4 Distrusting communications protected by restriction

In this section we introduce a spy process that represents a side-channel attack against communications that occur on untrusted channels, that is: channels that are not protected by hide. We assume that the spy is not able to retrieve the content of an exchange. The spy abstraction models the ability of the context to detect interactions when the processes are implemented by means of network protocols which do not rely on dedicated channels, and therefore require some mechanism to enforce the secrecy of the message (e.g. cryptography). This ability breaks some of the standard security equations for the new operator, which can be recovered by re-programming the protocol and making use of the hide operator. We add to the syntax of the secret π-calculus the following process, where we let spy be a reserved keyword. We let $P, Q, R$ range over spied processes.



$P, Q, R ::= \cdots \mid \text{spy} : S.P$ \qquad spied processes

$S ::= \{x\} \mid \emptyset$ \qquad spied set

When in $\text{spy} : S.P$ the spied set $S$ is equal to $\{x\}$, noted $\text{spy} : x.P$, this makes explicit which (free) reduction the spy shall observe. Note that listening on multiple names can be easily programmed by putting in parallel several spies. The spy process $\text{spy} : \emptyset.P$, noted $\text{spy}.P$, will be used to detect reductions protected by restriction. We let the free and bound names of the spy be defined as follows: $fn(\text{spy} : S.R) = S \cup fn(R)$ and $bn(\text{spy} : S.R) = bn(R)$.
New rules for blocking a name

$(\text{spy} : S.P) \uplus b = \text{spy} : S.(P \uplus b)$

New rules for structural congruence

$(\text{new } x)(P) \mid \text{spy}.R \equiv (\text{new } x)(P \mid \text{spy} : x.R)$ \qquad $x \notin fn(\text{spy}.R)$
$(\text{new } x)(P) \mid \text{spy} : y.R \equiv (\text{new } x)(P \mid \text{spy} : y.R)$ \qquad $x \notin fn(\text{spy} : y.R)$
$[\text{hide } x][P] \mid \text{spy} : S.R \equiv [\text{hide } x][P \mid (\text{spy} : S.R) \uplus x]$ \qquad $x \notin fn(\text{spy} : S.R)$

New reduction rules

[RS-COM] $x(y \div B).P \mid \bar{x}\langle z\rangle.Q \mid \text{spy} : x.R \to P\{z/y\} \mid Q \mid R$ \qquad $z \notin B$
[RS-T-COM] $x[y : A].P \mid \bar{x}\langle z\rangle.Q \mid \text{spy} : x.R \to P\{z/y\} \mid Q \mid R$ \qquad $z \in A$

Figure 4: Spied process semantics



The semantics of spied processes is described by adding the communication rules in Figure 4 to those in Figure 2. The rules describe a form of synchronization among three processes: a sender on channel $x$, a receiver on channel $x$, and a spy on channel $x$. More in detail, rule [RS-COM] depicts a synchronization among an input of the form $x(y \div B).P$, a sender and a spy, while rule [RS-T-COM] describes a similar three-way synchronization but for a trusted input of the form $x[y : A].P$.

The definition of observational equivalence for spied processes is obtained by extending Definition 3.5 to the semantics in Figure 4; we indicate the resulting equivalence with $\dot{\cong}$. This will make it possible to study the security of processes in the presence of the spy.

To make the picture clear, in Figure 5 we introduce labelled transition semantics for spied processes. We consider two new actions $?x$ and $!x$ corresponding respectively to the presence of a spy and to a signal of communication.



We assume the existence of a variable $\nu \in \mathcal{N}$ that cannot occur in the process syntax, and we use it to signal restricted communications. It is convenient to define the notion of (free) subject and object of an action. We let $subj(\alpha) \stackrel{def}{=} \{x\}$ whenever $\alpha = x(y), (y)\bar{x}\langle y\rangle, \bar{x}\langle y\rangle$, and $subj(\alpha) \stackrel{def}{=} \emptyset$ otherwise. We define $obj(\alpha) \stackrel{def}{=} \{y\}$ whenever $\alpha = x(y), \bar{x}\langle y\rangle$, and $obj(\alpha) \stackrel{def}{=} \emptyset$ otherwise.

The lts in Figure 5 introduces three new rules for the spy, [L-SPY], [L-SPY-RES] and [L-SPY-COM], and re-defines the rules for restriction, for hide and for communication of Figure 3. In rule [L-SPY] the process $\text{spy} : x.P$ can fire an action $?x$ and progress to $P$. The dual action, $!x$, is fired in rules [L-COM] and [L-CLOSE] whenever a communication occurred on a free channel $x$. Rule [L-SPY-COM] describes the eavesdropping of a communication. A process of the form $\text{spy}.P$ can only fire an action $?\nu$ through rule [L-SPY-RES]. In rule [L-NEW] we use a partial function $(\!|\cdot|\!)_x$ to relabel the action fired underneath a restriction: we let $(\!|\alpha|\!)_x \stackrel{def}{=} \alpha$ whenever $x \notin fn(\alpha)$, $(\!|!x|\!)_x \stackrel{def}{=}\ !\nu$ and $(\!|?x|\!)_x \stackrel{def}{=}\ ?\nu$. This will be used to signal restricted communications, as introduced. Differently, in rule [L-HIDE] we use a relabeling partial function $[\![\cdot]\!]_x$ that makes invisible the communications that occur under hide. We let $[\![\alpha]\!]_x \stackrel{def}{=} \alpha$ whenever $x \notin fn(\alpha)$, $[\![!x]\!]_x \stackrel{def}{=} \tau$ and $[\![?x]\!]_x \stackrel{def}{=} \tau$.

[L-SPY] $\text{spy} : x.P \xrightarrow{?x} P$
[L-SPY-RES] $\text{spy}.P \xrightarrow{?\nu} P$
[L-COM] if $P \xrightarrow{\bar{x}\langle y\rangle} P'$ and $Q \xrightarrow{x(y)} Q'$ then $P \mid Q \xrightarrow{!x} P' \mid Q'$
[L-CLOSE] if $P \xrightarrow{x(y)} P'$, $Q \xrightarrow{(y)\bar{x}\langle y\rangle} Q'$ and $y \notin fn(P)$ then $P \mid Q \xrightarrow{!x} (\text{new } y)(P' \mid Q')$
[L-SPY-COM] if $P \xrightarrow{!x} P'$ and $Q \xrightarrow{?x} Q'$ then $P \mid Q \xrightarrow{\tau} P' \mid Q'$
[L-NEW] if $P \xrightarrow{\alpha} P'$ and $x \notin subj(\alpha)$ then $(\text{new } x)P \xrightarrow{(\!|\alpha|\!)_x} (\text{new } x)P'$
[L-HIDE] if $P \xrightarrow{\alpha} P'$ and $x \notin subj(\alpha) \cup obj(\alpha)$ then $[\text{hide } x]P \xrightarrow{[\![\alpha]\!]_x} [\text{hide } x]P'$

Figure 5: Labelled transitions for spied processes

Definition 4.1 (Bisimilarity). A symmetric relation $\mathcal{R}$ over spied processes is a bisimulation if whenever $R_1 \mathcal{R} R_2$ and $R_1 \xrightarrow{\alpha} R'$ then there exists a spied process $R''$ such that $R_2 \Longrightarrow \xrightarrow{\hat{\alpha}} \Longrightarrow R''$ and $R' \mathcal{R} R''$, where $\Longrightarrow$ is the reflexive and transitive closure of $\xrightarrow{\tau}$, $\hat{\tau}$ is the empty string, and $\hat{\alpha} = \alpha$ otherwise. Bisimilarity, noted $\approx$, is the largest bisimulation.

By using the same construction of Section 3.1 we obtain the main result of this section: observational equivalence for spied processes and bisimilarity coincide. As a by-product, we can also use bisimulation as a technique to prove that two processes cannot be distinguished by the spy.

Theorem 4.2 (Full Abstraction). $\ddot{=}\ =\ \approx$.

Sketch of the proof. To see that behavioural equivalence is included in bisimilarity, we proceed by co-induction as in the proof of Proposition 3.8, by relying on contexts $C_\alpha$ that detect whenever a process does emit a weak action $\alpha$. Given a set of names $A$ such that $fn(\alpha) \subseteq A$ and $\omega \notin A$, we define the following contexts to account for the new actions $!x$ and $?x$.

$C_{!x}[-] \stackrel{def}{=} \mathrm{spy}{:}x.\omega() \mid -$

$C_{?x}[-] \stackrel{def}{=} x(y).\omega() \mid \bar{x}() \mid -$

$C_{!v}[-] \stackrel{def}{=} \mathrm{spy}.\omega() \mid -$

$C_{?v}[-] \stackrel{def}{=} (\mathrm{new}\ x)(x(y).\omega() \mid \bar{x}()) \mid -$

The proof then proceeds routinely by following a schema similar to the one of Proposition 3.8. The reverse direction, namely that bisimilarity is contained in behavioural equivalence, is shown by proving that $\approx$ is closed under the new, hide, and parallel composition operators. See [18] for all the details. □



5 Properties of the secret π-calculus

In this section we discuss some algebraic properties of the secret π-calculus, and we show how we can implement the name matching operator. Lastly we provide an example of deployment of a mandatory access control policy that is inspired by the D-Bus technology [21]. In the following, we write $P \cong Q$ to indicate that $(P, Q) \in\ \ddot{=}$. We also write $x()$ and omit the message in output whenever this is irrelevant, and use the notation $[\mathrm{hide}\ B]P$ to indicate the process $[\mathrm{hide}\ b_1] \cdots [\mathrm{hide}\ b_n]P$ whenever $B = \{b_1, \ldots, b_n\}$.

Algebraic equalities and inequalities. The first inequality illustrates the mechanism of blocked names.

$x(y \neq B).P \not\cong x(y \neq B').P \qquad B \neq B' \qquad (2)$

To prove (2), let $z \in B'$, $z \notin B$, and consider the context $C[-] \stackrel{def}{=} [\mathrm{hide}\ B, B'](\bar{x}\langle z\rangle.\omega() \mid -)$ with $\omega$ free, $\omega \notin fn(P)$. By applying [R-COM] followed by applications of [R-HIDE] we have that $C[x(y \neq B).P] \to [\mathrm{hide}\ B, B'][\omega() \mid P\{z/y\}]$, that is $C[x(y \neq B).P] \Downarrow \omega$. In contrast, $C[x(y \neq B').P] \not\Downarrow \omega$, because $z \in B'$ blocks the input. The case $B' \subseteq B$ is analogous.

We have a similar result for accepted names.

$x[y : A].P \not\cong x[y : A'].P \qquad A \neq A' \qquad (3)$

A distinguishing context is $C[-] = \bar{x}\langle a\rangle.\omega() \mid -$, where $\omega$ is fresh and $a \in A$, $a \notin A'$ if $A \not\subseteq A'$, and $a \in A'$, $a \notin A$ otherwise.

The next inequality illustrates the discriminating power of the spy.

$(\mathrm{new}\ x)(\bar{x}\langle z\rangle \mid x(y)) \not\cong 0 \qquad (4)$

To prove (4), consider the context $C[-] = \mathrm{spy}.\omega() \mid -$. By applying [RS-COM] and [R-NEW] followed by [R-STRUCT] we infer $C[(\mathrm{new}\ x)(\bar{x}\langle z\rangle \mid x(y))] \to \omega()$: that is, $C[(\mathrm{new}\ x)(\bar{x}\langle z\rangle \mid x(y))] \Downarrow \omega$, while $C[0] \not\Downarrow \omega$.

The invisibility of communications protected by the hide operator is established by the equation below, which is proved by co-induction.

$[\mathrm{hide}\ x][\bar{x}\langle z\rangle \mid x(y).Q] \cong [\mathrm{hide}\ x][Q\{z/y\}] \qquad (5)$

The last equation states the impossibility of extruding hidden channels.

$[\mathrm{hide}\ x][\bar{z}\langle x\rangle] \cong 0 \qquad (6)$

Implementing name matching. Name matching is not needed as an operator in our calculus (cf. [12]). We show this by providing a semantics-preserving translation of the if-then-else construct [17]. Consider the process $\mathrm{if}\ x = y\ \mathrm{then}\ P\ \mathrm{else}\ Q$, which reduces to $P$ whenever $x = y$ and to $Q$ otherwise. Let $Z \stackrel{def}{=} fn(\mathrm{if}\ x = y\ \mathrm{then}\ P\ \mathrm{else}\ Q)$; therefore there are names $z_1, \ldots, z_n$, $n \geq 0$, such that $Z = \{x, z_1, \ldots, z_n\}$. Let $I = \{1, \ldots, n\}$ and assume $k$ fresh. Writing $P \uplus k$ for the process $P$ with $k$ blocked in all of its threads, we define:

$\llbracket \mathrm{if}\ x = y\ \mathrm{then}\ P\ \mathrm{else}\ Q \rrbracket_Z \stackrel{def}{=} [\mathrm{hide}\ k][\,y[w : k] \mid \bar{x}\langle k\rangle.(P \uplus k) \mid \prod_{i \in I} \bar{z}_i\langle k\rangle.(Q \uplus k)\,]$

Whenever $x = y$, the only possible reduction arises between the trusted input $y[w : k]$ and $\bar{x}\langle k\rangle.(P \uplus k)$, leading to $P' \stackrel{def}{=} [\mathrm{hide}\ k][\,P \uplus k \mid \prod_{i \in I} \bar{z}_i\langle k\rangle.(Q \uplus k)\,]$. Note that $P$ and $P'$ have the same interactions with the context, because $k$ is blocked in all threads of $P'$: therefore $Q$ cannot be unblocked. This result can be formalized by relying on the behavioural theory $\ddot{=}$ of the secret π-calculus.¹ We infer the following equation:

$\llbracket \mathrm{if}\ x = x\ \mathrm{then}\ P\ \mathrm{else}\ Q \rrbracket_Z \cong P \qquad (7)$

Consider now the case $x \neq y$ and let $y = z_1$. The matching process reduces to the rearranged process $[\mathrm{hide}\ k][\,\bar{x}\langle k\rangle.(P \uplus k) \mid Q \uplus k \mid \prod_{i \in \{2, \ldots, n\}} \bar{z}_i\langle k\rangle.(Q \uplus k)\,]$, which has the same behaviour as $Q$:

$\llbracket \mathrm{if}\ x = y\ \mathrm{then}\ P\ \mathrm{else}\ Q \rrbracket_Z \cong Q \qquad x \neq y \qquad (8)$



Modeling dedicated channels. Security mechanisms based on dedicated channels can be naturally modeled in the secret π-calculus. D-Bus [21] is an IPC system for software applications that is used in many desktop environments. The applications of each user share a private bus for asynchronous message-passing communication; a system bus permits to broadcast messages among applications of different users. Versions earlier than 0.36 contain an erroneous access policy for channels which allows users to send and listen to messages on another user's channel if the address of the socket is known. We model this vulnerability by means of an internal attacker that leaks the user's channel. In the specification below, two applications of a user $U_1$ use a private bus to exchange a password; in fact, the password can be intercepted by the user $U_2$ through the malicious code $!\overline{sys}\langle c\rangle$ of $U_1$, which publishes $c$ on the system bus.

$U_1 \stackrel{def}{=} (\mathrm{new}\ c)(!\overline{sys}\langle c\rangle \mid (\mathrm{new}\ pwd)\bar{c}\langle pwd\rangle \mid c(x).P) \qquad U_2 \stackrel{def}{=} sys(x).x(y_{pwd}).Q \qquad (9)$

The patch released by Fedora restricts the access to the user's bus: only applications with the same user-id can have access. We stress that this policy is mandatory: that is, the user cannot change it.

By using the secret π-calculus we can easily patch $U_1$ by hiding the bus: $U' = [\mathrm{hide}\ c][!\overline{sys}\langle c\rangle \mid (\mathrm{new}\ pwd)(\bar{c}\langle pwd\rangle) \mid c(x).P]$. The following equation, which can be proved co-inductively, states that the policy is fulfilled even in the presence of internal attacks:

$U' \cong [\mathrm{hide}\ c][(\mathrm{new}\ pwd)(P\{pwd/x\})] \qquad (10)$
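The laws of this section can be checked mechanically on a small executable model of the spied semantics. The Python program below is an added example and not code from the paper: it encodes a process as a multiset of threads, each tagged with the hide-bound names that enclose it, implements [R-COM]/[RS-COM] with the blocked-name, trusted-input, no-extrusion and [L-Hide] side conditions, and decides the weak barb $\Downarrow \omega$ by breadth-first search over reductions. It then checks inequality (2) for $B = \emptyset$, $B' = \{z\}$, inequality (4), equation (5), and the D-Bus specification (9) both with the leaky `new c` and with the `[hide c]` of (10). The thread encoding, the barb written on the free name `w`, the choice $Q = \omega()$ for the intercepting application, and the collapsing of identical parallel threads are assumptions of this model.

```python
"""Executable model of the spied secret pi-calculus fragment used in Sections 4-5.
Constructed illustration, not the paper's code: the encoding below (a multiset of
threads, each tagged with the hide-bound names enclosing it) is an assumption."""
from collections import deque

# A state is a frozenset of threads; a thread is (scope, action), where scope is the
# frozenset of hide-bound names enclosing the thread and action is one of
#   ('out', chan, msg, cont)                    chan<msg>.cont
#   ('in', chan, var, blocked, accepted, cont)  chan(var != blocked).cont, or the
#                                               trusted chan[var : accepted].cont
#   ('spy', chan, cont)                         spy:chan.cont, spy.cont when chan is None
#   ('rep', action)                             !action, for a replicated output or spy
# cont is a tuple of actions started after substituting var. Names bound by new are
# modelled as free, distinct names: new permits extrusion, so it needs no bookkeeping.
# Simplification: identical parallel threads collapse into one (frozenset semantics).

def subst(action, var, name):
    if isinstance(action, tuple):
        return tuple(subst(a, var, name) for a in action)
    return name if action == var else action

def unrep(action):
    return action[1] if action[0] == 'rep' else action

def successors(state, hidden):
    """One-step reducts via [R-COM]/[R-T-COM] and, when a spy can observe the
    communication, [RS-COM]/[RS-T-COM]; hidden is the set of hide-bound names."""
    nxt, threads = set(), list(state)
    for s1, a1 in threads:
        o = unrep(a1)
        if o[0] != 'out':
            continue
        _, x, z, cont1 = o
        for s2, a2 in threads:
            if a2[0] != 'in' or a2[1] != x:
                continue
            _, _, var, blocked, accepted, cont2 = a2
            if z in blocked or (accepted is not None and z not in accepted):
                continue
            if x in hidden and not (x in s1 and x in s2):   # hidden channel stays local
                continue
            if z in hidden and z not in s2:                  # hidden names are never extruded
                continue
            base = set(state) - {(s2, a2)}
            if a1[0] != 'rep':
                base -= {(s1, a1)}
            base |= {(s1, c) for c in cont1} | {(s2, subst(c, var, z)) for c in cont2}
            nxt.add(frozenset(base))
            for s3, a3 in threads:                           # a spy eavesdrops on !x
                sp = unrep(a3)
                if sp[0] != 'spy' or sp[1] not in (None, x):
                    continue
                if x in hidden and x not in s3:              # [L-Hide] turns !x into tau
                    continue
                spied = set(base) - ({(s3, a3)} if a3[0] != 'rep' else set())
                nxt.add(frozenset(spied | {(s3, c) for c in sp[2]}))
    return nxt

def barb(state, hidden, omega, limit=5000):
    """Weak barb: can state reach, by reductions, an output on the free name omega?"""
    seen, todo = {state}, deque([state])
    while todo:
        s = todo.popleft()
        if any(unrep(a)[0] == 'out' and unrep(a)[1] == omega for _, a in s):
            return True
        for t in successors(s, hidden):
            if t not in seen and len(seen) < limit:
                seen.add(t)
                todo.append(t)
    return False

TOP = frozenset()                      # scope of a thread under no hide
OMEGA = ('out', 'w', 'w', ())          # the barb omega(), written on the free name w

def spy_distinguishes_new():
    """Inequality (4): spy.omega() | (new x)(x<z> | x(y)) versus spy.omega() | 0."""
    spy = (TOP, ('spy', None, (OMEGA,)))
    P = {(TOP, ('out', 'x', 'z', ())), (TOP, ('in', 'x', 'y', frozenset(), None, ()))}
    return barb(frozenset({spy, *P}), set(), 'w'), barb(frozenset({spy}), set(), 'w')

def hide_is_invisible():
    """Equation (5): the same communication under [hide x] leaves the spy silent."""
    spy, S = (TOP, ('spy', None, (OMEGA,))), frozenset({'x'})
    P = {(S, ('out', 'x', 'z', ())), (S, ('in', 'x', 'y', frozenset(), None, ()))}
    return barb(frozenset({spy, *P}), {'x'}, 'w')

def blocked_names_distinguish():
    """Inequality (2) with B = {} and B' = {z}, under the context x<z>.omega() | -."""
    ctx = (TOP, ('out', 'x', 'z', (OMEGA,)))
    def proc(blocked):
        return frozenset({ctx, (TOP, ('in', 'x', 'y', blocked, None, ()))})
    return barb(proc(frozenset()), set(), 'w'), barb(proc(frozenset({'z'})), set(), 'w')

def dbus_leak(hide_bus):
    """Specification (9): U1 leaks its bus c on sys, U2 then reads the password.
    Q = omega() marks a successful interception; hide_bus switches (new c) to [hide c]."""
    S = frozenset({'c'}) if hide_bus else TOP
    U1 = {(S, ('rep', ('out', 'sys', 'c', ()))),
          (S, ('out', 'c', 'pwd', ())),
          (S, ('in', 'c', 'x', frozenset(), None, ()))}
    U2 = (TOP, ('in', 'sys', 'x', frozenset(), None,
                (('in', 'x', 'y', frozenset(), None, (OMEGA,)),)))
    return barb(frozenset({U2, *U1}), {'c'} if hide_bus else set(), 'w')

if __name__ == '__main__':
    print(spy_distinguishes_new(), hide_is_invisible(),
          blocked_names_distinguish(), dbus_leak(False), dbus_leak(True))
```

Running the script prints `(True, False) False (True, False) True False`: the spy context separates the `new`-restricted communication from `0` but not the hidden one, the blocked name `z` separates the two inputs, and the leaked bus `c` reaches $U_2$ only while it is bound by `new`. The model is a barb checker, not a bisimulation checker, so it refutes equivalences (by exhibiting a distinguishing context) rather than proving them; (5) and (10) are shown here only for the single spy context, while the paper proves them co-inductively for all contexts.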



6 Related work 

Many analysis and programming techniques for security have been developed for process calculi. Among these, we would mention the security analysis enforced by means of static and dynamic type-checking (e.g. [13, 16, 10]), the verification of secure implementations and protocols that are protected by cryptographic encryption (e.g. [2], among others), and programming models that consider a notion of location.

The paper [13] introduces a type system for a π-calculus with groups that permits to control the distribution of resources: names can be received only by processes in the scope of the group. The intent is, as in our paper, to prevent the accidental or malicious leakage of secrets, even in the presence of untyped opponents. A limitation of [13] is that processes that are not statically type-checked are interpreted as opponents trying to leak secrets. In contrast, our aim is to consider systems where processes can dynamically join the system at run-time; this permits us to analyze the secrecy of protocols composed of trusted sub-systems that can grow in the number of participants. While devising an algorithm for type checking groups can be non-trivial (cf. [25]), we note that actual systems do not often rely on types, even for local communications. For instance D-Bus (cf. Section 5) relies on a mandatory access control policy enforced at the kernel level through process IDs. Our semantics-based approach appears adequate to describe such low-level mechanisms.

¹ Note that observational equivalence is not preserved by input-prefixing; the outlined translation could indeed be sensitive to name aliasing.

As discussed in the introduction, concrete implementations of π-calculus models do protect communications by means of cryptography. The problem of devising a secure, fully abstract implementation was first introduced in [1] and subsequently tackled for the join calculus. The paper [7] introduces a bisimulation-based technique to prove equivalences of processes using cryptographic primitives; this can be used to show that a protocol does preserve secrecy. We follow a similar approach and devise a bisimulation semantics for establishing the secrecy of processes running in an environment where the distribution of channels is controlled. The presence of a spy in our model is reminiscent of the network abstraction adopted in work on secure implementations, where the network provides the low-level counterpart of the model in which attacks based on bit-string representations, interception, and forward/replay can be formalized.

From the language design point of view, we share some similarity with the ideas behind the boxed π-calculus [24]. A box in [24] acts as a wrapper in which we can confine an untrusted process; communication between the box and the context is subject to a fine-grained control that prevents the untrusted process from harming the protocol. Our hide operator is based on the symmetric principle: processes within the scope of a hide can run their protocol without being disturbed by the context outside it.

An interesting approach related to ours in spirit, but not in conception or details, is D-fusion [6]. The calculus has two forms of restriction: a "ν" operator for name generation, and a "λ" operator that behaves like an existential quantifier and can be seen as a generalization of an input binder. Both operators allow extrusion of the entities they declare, but only the former guarantees uniqueness. In contrast, our hide operator is meant neither as an existential nor as an input binder, and it prevents the extrusion of the name it declares.